Trend Micro recently identified a high-risk Android app in Chile, detected as ANDROIDOS_STIP.A, that can be used to tamper with RFID transit cards. The app appears to be distributed through blogs and forums and lets its user rewrite the stored credit on their own RFID bus transit card, effectively recharging it without paying for the credit.
In response, Rob Miller, Security Consultant at MWR InfoSecurity, writes:
“The Bip card is based on the MIFARE Classic card. This card is one of a range of RFID cards, each offering different levels of security for a relative cost. This particular type is one of the lowest cost cards available, but is also one of the most insecure. Methods to exploit this type of card were shown as early as 2007. Normally contactless smart cards contain sensitive information, so they protect this data using cryptographic functions that require the reader to know a key. The exploits found allow an attacker to recover data from the device and write new data to the device without initially knowing the key. In Bip's case, this exploit was built into an Android app, which uses Android's NFC functionality to communicate with and edit the id and money values held on the owner's Bip card.
“This is not the first time that vulnerabilities in RFID card systems have been found and exploited. It is likely that many more examples exist waiting for a curious mind to discover. Tools can be freely downloaded to discover and exploit these issues, making it accessible to anyone with the time and the inclination to investigate them. Although the card system exploited could have been designed to be more secure with the same cards, for the most part it is always best to use modern card types instead. Of course, choosing a more cryptographically secure card won't automatically lead to a secure product. Logical issues or security issues in the readers or other components of a solution can be just as problematic as the RFID card itself.
“Ultimately, developers of RFID solutions should make their choices knowing all of the vulnerabilities in their design, and the cost to their users when it is discovered and exploited. Yes, the Classic has problems, but avoiding them doesn't automatically mean you're safe. When perfect security costs more than the company gains, it's always a balance between cost and risk. The trick is to make the decision with all the facts in hand.”
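To make concrete what "edit the money values held on the card" means once an attacker can write to a MIFARE Classic sector, the following added example (not code from the original article, from Trend Micro or from MWR InfoSecurity) encodes, validates and rewrites a MIFARE Classic value block. The 16-byte layout (value, inverted value, value, then address and inverted address bytes) is the one documented in NXP's MIFARE Classic datasheet; whether the Bip card actually stores its balance in this format is not stated on the page and is an assumption made here for illustration. The sample balance and block address are constructed.

```python
import struct

BLOCK_SIZE = 16  # every MIFARE Classic data block is 16 bytes


def encode_value_block(value: int, block_addr: int) -> bytes:
    """Build a MIFARE Classic value block.

    Layout (NXP MIFARE Classic datasheet):
      bytes 0-3   value, little-endian signed 32-bit
      bytes 4-7   bitwise inverse of the value
      bytes 8-11  value again
      byte 12     block address, byte 13 ~address, byte 14 address, byte 15 ~address
    The redundancy only protects against a corrupted write; it involves no
    key or MAC, so anyone who can write the block can write any balance.
    """
    if not -2**31 <= value < 2**31:
        raise ValueError("value must fit in a signed 32-bit integer")
    if not 0 <= block_addr <= 0xFF:
        raise ValueError("block address must be a single byte")
    v = struct.pack("<i", value)
    inv_v = bytes(b ^ 0xFF for b in v)
    a = block_addr
    return v + inv_v + v + bytes([a, a ^ 0xFF, a, a ^ 0xFF])


def decode_value_block(block: bytes) -> tuple[int, int]:
    """Parse a value block and return (value, block_addr).

    Raises ValueError when the redundancy checks fail, which is all a
    reader can verify: it cannot tell a legitimate write from a forged one.
    """
    if len(block) != BLOCK_SIZE:
        raise ValueError("value block must be 16 bytes")
    v, inv_v, v2 = block[0:4], block[4:8], block[8:12]
    if v != v2 or bytes(b ^ 0xFF for b in v) != inv_v:
        raise ValueError("value redundancy check failed")
    a, inv_a, a2, inv_a2 = block[12:16]
    if not (a == a2 and inv_a == inv_a2 == a ^ 0xFF):
        raise ValueError("address redundancy check failed")
    return struct.unpack("<i", v)[0], a


def rewrite_balance(block: bytes, new_value: int) -> bytes:
    """What a 'recharge' tool does once it holds (or has recovered) the
    sector key: keep the address byte, swap the value, recompute redundancy."""
    _, addr = decode_value_block(block)
    return encode_value_block(new_value, addr)


if __name__ == "__main__":
    # Constructed sample: a balance of 1500 stored in block 5 (hypothetical).
    original = encode_value_block(1500, 5)
    print("original :", original.hex(), decode_value_block(original))
    forged = rewrite_balance(original, 99999)
    print("forged   :", forged.hex(), decode_value_block(forged))
    # A reader accepts the forged block because every redundancy check passes.
```

The point the example makes is that the card's own integrity format is purely structural. That is why the quoted advice to design the system, not only the card, for security matters: a backend that keeps its own record of each card's balance and transaction history can flag a card whose stored credit no longer matches what was actually paid for, even when the card itself can be rewritten at will.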